SQL Server Attacks: Hacking, Cracking, and Protection Techniques

SQL Server attacks strike right at the heart of a business. Fortunately, you can secure a database server by implementing proper coding practices and ensuring that the SQL server is configured properly. Seth Fogie and Dr. Cyrus Peikari uncover two main methods for hacking SQL servers – and show how you can guard against them.

In this information age, the data server has become the heart of a
company. This one piece of software controls the rhythm of most organizations
and is used to pump information lifeblood through the arteries of the network.
Because of the critical nature of this application, the data server is also
one of the most popular targets for hackers. If a hacker owns this application,
he can cause the company's "heart" to suffer a fatal arrest.

Ironically, although most users are now aware of hackers, they still do not
realize how susceptible their database servers are to hack attacks. Thus, this
article presents a description of the primary methods of attacking database
servers (also known as SQL servers) and shows you how to protect yourself
from these attacks.

You should note that this information is not new. Many technical whitepapers go
into great detail about how to perform SQL attacks, and numerous vulnerabilities
have been posted to security lists that describe exactly how certain database
applications can be exploited. This article was written for curious non-SQL
experts who do not care to know the details, and as a review for those who
do use SQL regularly.

What Is a SQL Server?

A database application is a program that provides clients with access
to data. There are many variations of this type of application, ranging from the
expensive enterprise-level Microsoft SQL Server to the free and open source
MySQL. Regardless of the flavor, most database server applications have several
things in common.

First, database applications use the same general programming language known
as SQL, or Structured Query Language. This language, also known as a
fourth-level language due to its simplistic syntax, is at the core of how a
client communicates its requests to the server. Using SQL in its simplest form,
a programmer can select, add, update, and delete information in a database.
However, SQL can also be used to create and design entire databases, perform
various functions on the returned information, and even execute other
programs.

To illustrate how SQL can be used, the following is an example of a simple
standard SQL query and a more powerful SQL query:

Simple: "Select * from dbFurniture.tblChair"

This returns all information in the table tblChair from the database
dbFurniture.

Complex: "EXEC master..xp_cmdshell 'dir c:\'"

This short SQL command returns to the client the list of files and folders
under the c:\ directory of the SQL server. Note that this example uses an
extended stored procedure that is exclusive to MS SQL Server.
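Because xp_cmdshell hands operating-system commands to anyone who can execute it, a defender's first check is whether it is enabled at all and who has been granted it. The following is an added example, not code from the article; it assumes SQL Server 2005 or later, where the procedure is governed by sp_configure (on SQL Server 2000 it was enabled by default and could only be restricted through permissions).

```sql
-- Added example (not from the article). Assumes SQL Server 2005 or later.
-- Show advanced options so that the xp_cmdshell setting becomes visible.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Report the current state: run_value = 1 means the server will launch
-- OS commands such as the 'dir c:\' example for any caller allowed to run it.
EXEC sp_configure 'xp_cmdshell';

-- Disable it unless a documented, reviewed job depends on it.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Independently of the server setting, list every principal that has been
-- explicitly granted or denied EXECUTE on the procedure in master.
-- Members of the sysadmin role do not appear here; they can always run it.
SELECT pr.name AS principal_name,
       pe.state_desc,
       pe.permission_name
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id = OBJECT_ID('master.dbo.xp_cmdshell');
```

Any non-administrative login that shows up with state GRANT in the last query is worth questioning, since it gives that login a shell on the database host.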

The second function that database server applications share is that they all
require some form of authenticated connection between client and host. Although
the SQL language is fairly easy to use, at least in its basic form, any client
that wants to perform queries must first provide some form of credentials that
will authorize the client; the client also must define the format of the request
and response.

This connection is defined by several attributes, depending on the relative
location of the client and what operating systems are in use. We could spend a
whole article discussing various technologies such as DSN connections, DSN-less
connections, RDO, ADO, and more, but these subjects are outside the scope of
this article. If you want to learn more about them, a little Googling
will provide you with more than enough information. However, the following is a
list of the more common items included in a connection request.

Database source

Request type

Database

User ID

Password

Before any connection can be made, the client must define what type of
database server it is connecting to. This is handled by a software component
that provides the client with the instructions needed to create the request in
the correct format. In addition to the type of database, the request type can be
used to further define how the client's request will be handled by the
server. Next comes the database name and finally the authentication information.

All the connection information is important, but by far the weakest link is
the authentication information, or lack thereof. In a properly managed
server, each database has its own users with specifically designated permissions
that control what type of activity they can perform. For example, a user account
would be set up as read-only for applications that only need to read
information. Another account should be used for inserts or updates, and maybe
even a third account would be used for deletes. This type of account control
ensures that any compromised account is limited in functionality. Unfortunately,
many database programs are set up with null or easy passwords, which leads to
successful hack attacks.
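The split-account scheme described above, applied to the article's own dbFurniture.tblChair table, as an added example that is not code from the article. It assumes SQL Server 2005 or later syntax, a dbo.tblChair table in dbFurniture, and placeholder passwords that you would replace with strong, unique ones.

```sql
-- Added example (not from the article). Assumes SQL Server 2005+ and that
-- dbFurniture contains dbo.tblChair. Passwords below are placeholders.
USE dbFurniture;

-- One server login per role, each mapped to a database user.
CREATE LOGIN furniture_reader  WITH PASSWORD = '<strong-unique-password-1>';
CREATE LOGIN furniture_writer  WITH PASSWORD = '<strong-unique-password-2>';
CREATE LOGIN furniture_deleter WITH PASSWORD = '<strong-unique-password-3>';

CREATE USER furniture_reader  FOR LOGIN furniture_reader;
CREATE USER furniture_writer  FOR LOGIN furniture_writer;
CREATE USER furniture_deleter FOR LOGIN furniture_deleter;

-- The reporting application only ever reads.
GRANT SELECT ON dbo.tblChair TO furniture_reader;

-- The order-entry application inserts and updates (and must read the rows
-- it changes) but can never delete.
GRANT SELECT, INSERT, UPDATE ON dbo.tblChair TO furniture_writer;

-- Only the maintenance job removes rows.
GRANT SELECT, DELETE ON dbo.tblChair TO furniture_deleter;

-- Verify the boundary: impersonate the reader and ask the engine whether
-- that context holds DELETE on the table. A compromised reader account
-- should come back without it.
EXECUTE AS USER = 'furniture_reader';
SELECT HAS_PERMS_BY_NAME('dbo.tblChair', 'OBJECT', 'DELETE') AS reader_can_delete;
REVERT;

-- Finally, hunt for the blank-password logins the article warns about.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;
```

Each application then connects with the narrowest of these accounts it can work with, so a stolen connection string exposes only that account's rights rather than the whole database.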